127.0.0.1 on firehol_level4
#143

Comments

I found a curious thing happening with att.com: the firewall I use was blocking it and saying it was coming from the level4 block list. It turns out that 127.0.0.1 (localhost) is in the level4 block list for some reason.

Can you take that off the list? I don't think it's supposed to be on the list.

Thanks.


Right now update-ipsets does not filter out any IPs.
I resist the idea of filtering out IPs, since this may significantly alter the effectiveness of certain lists. After all, update-ipsets should not make any such decisions.

Could you please explain how you use it?

I understand that you could use any of these strategies:

1. Match the blacklist only on the internet interface. If you do this right, you should want to block packets from/to 127.0.0.1 since they are by definition bad packets.

2. Use a whitelist on your firewall, and only blacklist IPs that are not in the whitelist. This is also a good strategy, given that bad IP list maintenance may block you out of your systems.

3. The last resort could be to use iprange to filter out the whitelisted IPs from the IP feeds you use. To do this, create a text file with the IPs you want to whitelist and run:

iprange blacklist --exclude-next whitelist >accepted_blacklist

However I strongly suggest following both 1 and 2. If you need help achieving this, post here and I'll help you.
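
For the iprange exclusion step above, here is an added example (not code from this thread or from firehol/update-ipsets) that computes the same result as `iprange blacklist --exclude-next whitelist` with Python's standard `ipaddress` module, for hosts where iprange is not installed. The feed and whitelist are constructed samples, not the real firehol_level4 data; the set name `accepted_blacklist` and the `ipset restore` output format are assumptions about how the result would be loaded.

```python
# Added example (not code from firehol/update-ipsets or this thread): carve a
# whitelist out of an IP feed before it is loaded into an ipset, i.e. the
# same result as `iprange blacklist --exclude-next whitelist`, using only the
# Python standard library. IPv4 only; the feed and whitelist below are
# constructed sample data, not the real firehol_level4 list.
import ipaddress
from typing import Iterable, List

# Constructed sample feed in the one-entry-per-line format update-ipsets
# writes: it contains loopback and RFC 1918 space, as reported in this issue.
SAMPLE_FEED = """\
# constructed sample, not the real firehol_level4
127.0.0.1
192.168.1.0/24
172.0.0.0/11
203.0.113.0/24
198.51.100.77
10.0.0.0/8
"""

# Constructed whitelist: loopback plus the RFC 1918 ranges a LAN host uses.
SAMPLE_WHITELIST = """\
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
"""


def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one address or CIDR per line; '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False accepts entries with host bits set, e.g. 172.16.0.5/11
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def exclude(blacklist: Iterable[ipaddress.IPv4Network],
            whitelist: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Return blacklist minus whitelist as a minimal, sorted list of CIDRs.

    A blacklisted net that lies inside a whitelisted net disappears; one that
    contains a whitelisted net is split around it; disjoint nets pass through.
    """
    wl = list(ipaddress.collapse_addresses(whitelist))
    kept = []
    for net in ipaddress.collapse_addresses(blacklist):
        pieces = [net]
        for w in wl:
            remaining = []
            for p in pieces:
                if p.subnet_of(w):          # fully whitelisted (or equal): drop
                    continue
                if w.subnet_of(p):          # whitelist sits inside p: carve it out
                    remaining.extend(p.address_exclude(w))
                else:                       # disjoint: keep as is
                    remaining.append(p)
            pieces = remaining
        kept.extend(pieces)
    return sorted(ipaddress.collapse_addresses(kept))


def filtered_feed(feed_text: str, whitelist_text: str) -> List[str]:
    """Parse both inputs and return the accepted blacklist as CIDR strings."""
    return [str(n) for n in exclude(parse_feed(feed_text), parse_feed(whitelist_text))]


def ipset_restore_script(name: str, cidrs: Iterable[str]) -> str:
    """Render the accepted list in the format `ipset restore` reads
    (assumed loading method; set name is the caller's choice)."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {c}" for c in cidrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    accepted = filtered_feed(SAMPLE_FEED, SAMPLE_WHITELIST)
    print(ipset_restore_script("accepted_blacklist", accepted), end="")
```

With the sample data, 127.0.0.1, 192.168.1.0/24 and 10.0.0.0/8 are dropped entirely, 172.0.0.0/11 is trimmed to 172.0.0.0/12 because the whitelisted 172.16.0.0/12 is carved out of it, and the two public ranges pass through untouched. Note that this only protects the firewall that loads the filtered copy; the point made above still stands that a packet carrying 127.0.0.1 as its source on the internet interface is one you do want to drop.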

All these are private IPs, unroutable to the internet. Shall I remove them?

Since they are listed on firehol_level4 someone got an attack from these IPs. He was receiving packets from the internet with source IP, one of these IPs.

These IPs should not be a problem for you, if your firewall was blacklisting IPs the right way.

Apparently you are blocking all traffic from/to firehol_level4 without checking anything else. This is the problem. You should only block firehol_level4 on your internet interface. This way the IP 127.0.0.1 should have been blocked only if it was found on the internet interface, and you should want this to happen.

If someone has been attacked from a bogon I'd think that was their problem and not the rest of us or anyone using a public block list.

I'd suggest you filter out bogons on the general level lists because those networks / IP ranges are on a separate bogon list that people can download and use - if they had, they wouldn't have been attacked. :-)

Thanks! However, it is more complex than that. firehol_level1 for example, includes bogons by design. I intentionally added it for blocking all the IPs that should never appear on your internet interface.

firehol_level4 should be used on top of level3, level2 and level1. Each additional level (starting from level1) filters out more IPs with the risk of more false positives.

firehol_level4 is a very risky IP list. As its description says it may include a large number of false positives.

I have designed these levels so that under normal conditions you should only use level1. If you face an attack, you include level2 (attacks of the last 48 hours). If it is not effective, include level3 (attacks of the last 30 days). If even all these are not effective, then include level4. With level4, you risk blacklisting some of your legit users but it may help you to stop the attack.

Of course you are not forced to use these. Just combine the ones you need yourself (and even exclude IP lists you don't want included). I have provided all the tools for this, so you can do it. Of course if you believe you have combined a list that can be useful to others too, just give me the rules and I'll add them to update-ipsets so that others can download the final product of it.

I have run into a similar problem with localhost's IP address(es). Ktsaou's solution -- to subject only internet interfaces to internet blacklisting -- seems very correct but it adds complexity to the maintenance of various workstations and servers. The extra complexity comes from the fact that interface names differ with hardware/driver combinations, and they are subject to considerable variation and change.

My current solution is to use firehol_level1, but to omit enabling the "fullbogons" ipset. I don't see any convenient way to use fullbogons, even though I would like to, since it includes 127.0.0.0/16 and there's no convenient way to exclude it.
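
One way around the interface-name problem raised in the previous comment, as an added example that is not part of this thread or of FireHOL: take the internet-facing interface from the kernel's default route at rule-load time instead of hard-coding it, and match the ipset only on that interface. The set name firehol_level1 and the choice of chains are assumptions; the script only prints iptables commands so they can be reviewed before being applied as root.

```python
# Added example (not code from FireHOL or this thread): find the
# internet-facing interface(s) from the kernel's default route instead of
# hard-coding a name, then emit iptables rules that match the ipset only on
# those interfaces. Traffic on lo (127.0.0.1) and on LAN-only interfaces
# never reaches these rules. The set name and chain layout are assumptions.
import subprocess
from typing import List


def default_ifaces(route_output: str) -> List[str]:
    """Extract 'dev X' from the output of `ip -4 route show default`.

    Handles the plain form ("default via 192.0.2.1 dev eth0 ...") and the
    multipath form, whose nexthops sit on indented 'nexthop ... dev X' lines.
    """
    ifaces = []
    for line in route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("default", "nexthop"):
            continue
        if "dev" in fields:
            dev = fields[fields.index("dev") + 1]
            if dev not in ifaces:
                ifaces.append(dev)
    return ifaces


def blocklist_rules(setname: str, ifaces: List[str]) -> List[str]:
    """iptables commands that drop traffic matching `setname`, but only on
    the given interfaces: inbound by source address, outbound by destination,
    and forwarded traffic in both directions. Nothing is added for lo."""
    rules = []
    for dev in ifaces:
        rules += [
            f"iptables -I INPUT -i {dev} -m set --match-set {setname} src -j DROP",
            f"iptables -I FORWARD -i {dev} -m set --match-set {setname} src -j DROP",
            f"iptables -I FORWARD -o {dev} -m set --match-set {setname} dst -j DROP",
            f"iptables -I OUTPUT -o {dev} -m set --match-set {setname} dst -j DROP",
        ]
    return rules


def current_default_ifaces() -> List[str]:
    """Query the running kernel; requires iproute2."""
    out = subprocess.run(["ip", "-4", "route", "show", "default"],
                         capture_output=True, text=True, check=True).stdout
    return default_ifaces(out)


if __name__ == "__main__":
    # Print, don't apply: review the rules, then feed them to sh as root.
    for rule in blocklist_rules("firehol_level1", current_default_ifaces()):
        print(rule)
```

Because every rule carries `-i` or `-o` for the default-route interface, a packet with source 127.0.0.1 arriving on lo is never compared against the set, while the same source address arriving on the internet interface is dropped, which is the behaviour argued for earlier in this thread. Rerun the script after a network change (new driver, renamed interface, switched uplink) and the rules follow the route table rather than a name baked into a config file.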
